Is it your identity or not?

Tom de Jongh, Control Break International

Identity theft remains one of today's most talked about topics. Tom de Jongh, director of marketing EMEA, Control Break International, investigates how data encryption can help to prevent identity theft.

Valuable information is increasingly stored centrally, but apparently users often are unaware of the place(s) their data resides. All too commonly much of this information is not secure, and unauthorized users may be able to access it, for example, by hacking a network or stealing backup tapes, computers or laptops. Consequently a user's name, credit card number and social security number can be seized in the blink of an eye.

Security breaches

In June 2005 the world was shocked by a security breach at CardSystems, a third-party clearing centre for transactions that transferred money between banks to settle credit card purchases. A network hack affected more than 40 million customer accounts worldwide from various credit card brands, including Visa and MasterCard. Unfortunately breaches occur constantly, albeit mostly on a more modest scale and at a more regional level.

Is this new?

Identity theft is not something that has only recently hit the news and is hyped by the media. Consider these figures:

  • The US Federal Trade Commission (FTC) says identity theft is its number one source of consumer complaints - 42% of all complaints in 2001, for example.
  • In January 2001 reported, 'Every 79 seconds, a thief steals someone's identity, opens accounts in the victim's name and goes on a buying spree.' Hence this has been happening for some time now. But how could identity theft pose a threat for so long?

Perimeter thinking

Most people understand that the internet poses some security risks. This is the reason why users and PCs and networks. Additionally firewalls help prevent 'Trojan horses' from getting into the network, while virtual private networks (VPNs) ensure information sent from laptop or PDA over the internet to a corporate LAN, for instance, is secure.

Users and organizations build seemingly impenetrable walls around networks and machines so no unauthorized users from outside can get in. This is what might be called 'perimeter thinking'. However does this approach guarantee that sensitive data is safe?

What if the great wall is breached?

What happens if an unauthorized user breaches a user's or organization's perimeter? A single security breach can potentially expose an entire network and all the data stored in it; a Trojan looks for valuable user data and can spread without any boundaries within a network.

In the recent CardSystems breach, for example, information was taken from the database by running a simple script designed to achieve a known result. According to MasterCard, this breach is the largest identity theft to date, potentially affecting one out of every seven credit cards issued in the US.

How is the great wall breached?

Breaches of users' and organizations' security perimeter by means of hacking, as in the case of the CardSystems, are well known. However, there are many other security risks and methods of identity theft that threaten sensitive data.

Peer-to-peer sharing programs running in the network, such as Kazaa, can expose sensitive information, because total hard disks or network shares extend across all internet-connected machines of participating users.

Of course the ports that Kazaa uses are blocked in the company firewall, which, for the most part, takes care of this threat. However what if a user copies the data on a laptop or home computer and runs peer-to-peer programs from an internet-connected machine at home?

Copying information from a 'secure' network onto mobile devices, such as laptops, and removable storage media is another way of inadvertently making data available to unauthorized users.

Examples of extremely high-risk storage media are laptops, memory sticks and CDs. Today these devices can store enormous amounts of data and are a common target of many wrongdoers, who may try to access the data after stealing portable media or devices.

The universal answer to identity theft

What to do? Quite simply, the answer is securing sensitive data itself, rather than the network, machines or removable storage on which data resides. There are several ways of doing this. For example there are strategies that instruct users not to store data in certain areas of the network or on mobile devices and home computers.

This strategy, however, leaves the decision to do so or not with the end-user and limits users' day-to-day operations. Companies in today's economic and business climate do not prefer this solution, in part because history teaches that this is neither trustworthy nor totally effective.

A more effective way to secure sensitive data is to put technical measures in place, specifically content-based data encryption. When correctly designed and implemented, this can secure data very effectively while not interfering with end-users' day-to-day operations. Even more importantly, it can enforce policies upon the enduser, ensuring compliance.

Important considerations

When choosing and implementing a content-based data encryption solution, there are a few things to consider.

Persistence and transparency

It is very important that end-users are not hindered in their operations. Persistent Encryption Technology (PET) can achieve this. Key elements of this technology are:

  • on-the-fly encryption and decryption;
  • transparency to end-users;
  • encryption travels with the files and folders.

Centralized management

A network normally consists of many clients and machines. All of these should have policies that stipulate what a user can and cannot do. Rolling out these policies and managing changing policies should be done centrally to minimize the workload for the administrators and to achieve the lowest possible total cost of ownership (TCO).

Connection to enterprise systems

A content-based encryption solution will probably not be the only security solution in place. A single point of administration and a single identity (one username and password - Single Sign-On [SSO] - along with optional smart cards or tokens) for each person and system are key in achieving end-user satisfaction and the lowest possible TCO. Connections to existing identity management systems such as Microsoft Active Directory®, Microsoft PKI and Entrust PKI are, therefore, very important.

Fail-safe recovery

Finally data must be protected from unauthorized persons, anytime and anywhere. What happens, for example, if a user forgets their password or smart card and needs to give an important presentation in Japan while unable to access their presentation file? It is paramount to have recovery procedures in place to ensure the availability of data at any time and any place. Challenge/response mechanisms are a proven method for secure recovery.